
International Journal of Emerging Technologies and Engineering (IJETE)

Volume 2 Issue 4, April 2015, ISSN 2348 8050

DUALSHIELD: NETWORK ATTACK DETECTION & PREVENTION


Nitin Nimase*, Reshma Thombre**, Monali Tingare***, Sonali Tingre****
*BE (Computer Engg), AISSMSS COE, Savitribai Phule University of Pune
**BE (Computer Engg), AISSMSS COE, Savitribai Phule University of Pune
***BE (Computer Engg), AISSMSS COE, Savitribai Phule University of Pune
****BE (Computer Engg), AISSMSS COE, Savitribai Phule University of Pune

ABSTRACT

The Internet, one of the most important means of communication and a source of information, has become an inseparable part of daily life. Web services have advanced to a multitiered design in which the web server runs the front-end application logic while the data are outsourced to a file server or database. Because the Internet is so broadly used, web servers and the database servers behind them are exposed to various attacks. To prevent these attacks, we monitor both the web requests and the database requests they cause, in order to ferret out attacks that independent IDSs would not be able to identify. Intrusion Detection Systems (IDS) are designed to detect malicious activities or policy violations and to generate reports for the management of sessions. Intrusion detection is the process of identifying possible events and login information, documenting existing threats and identifying problems in security policies. An IDS examines all inbound and outbound network activity and searches for specific attacks that have been previously documented. The study in this paper enables us to identify important reduced input features for building an IDS that is computationally efficient and effective. We have also used data mining to extract information from a dataset that contains the details of the users or clients accessing web services, together with other information. The implementation of DualShield will help us to expose various types of attack such as Denial of Service (DoS), SQL Injection and Direct DB Attack.

Keywords - Anomaly detection, Direct database attack, lightweight virtualization, multitier web application, SQL Injection.

I. INTRODUCTION

The Internet is one of the most significant technological breakthroughs of the 20th century and has a great influence on our lives. Various web services such as banking, online shopping, travel, search engines and social networking have become exceedingly popular as well as highly complex. The Internet is a global system of interconnected computer networks that use standard protocol suites; it is a worldwide network. Security is an essential component of every network design, and every network faces various threats. Hackers are skilled programmers who understand the details of networks and computer communications and know how to exploit their vulnerabilities. Web services typically consist of a front end that runs the application user-interface logic and a back end consisting of a database or file server. As these services are frequently used, they are highly susceptible to attack. These attacks have recently become more diverse, as attention has shifted from attacking the front end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system (e.g., SQL injection attacks) [1]. In multitier architectures the back-end database server is usually protected behind a firewall while the web servers are remotely accessible over the Internet [5]. The web servers are thus protected from direct remote attacks, but the back-end systems remain exposed to attacks that use web requests as a means to exploit the back end [1]. Intrusion Detection Systems help information systems prepare for, and deal with, such attacks.

II. LITERATURE SURVEY

Intrusion Detection Systems (IDS) have three main components: Network Intrusion Detection Systems (NIDS), Network Node Intrusion Detection Systems (NNIDS) and Host Intrusion Detection Systems (HIDS). Intrusion detection systems have been widely used to detect known attacks by matching misused traffic patterns or signatures [3]. An IDS is a security management technique that can leverage machine learning to detect unknown attacks by identifying abnormal network traffic that deviates from so-called normal behavior. An intrusion is defined as a set of actions that compromises the integrity, confidentiality or availability of a resource [1]. Intrusion detection is the process of monitoring and analyzing the suspicious events occurring in a computer system in order to detect signs of security problems.

There are two main strategies of IDS: misuse detection and anomaly detection. Misuse detection attempts to match signatures and patterns of already known attacks in the network traffic; a constantly updated database is usually used to store the signatures of known attacks. Anomaly detection attempts to identify behavior that does not correspond to normal behavior and is based on the detection of traffic anomalies. Anomaly detection systems are adaptive in nature and can deal with new attacks, but they cannot identify the specific type of attack. Many researchers have proposed and implemented various models for IDS, but these often generate too many false alerts due to their simplistic analysis [3].

III. EXISTING SYSTEM

Existing intrusion detection systems examine the network packets at the web server and at the database system individually. However, very little work has been done on a multi-tiered anomaly detection system that produces models of network behavior for both web and database interactions. Web services and database servers are vulnerable, and attacks are generally launched by web clients. Attackers try to bypass the web servers and attack the database server directly. Database servers are often protected by a firewall while the web servers are remotely accessible over the Internet. Unfortunately, even when protected from direct remote attacks, the back-end systems are susceptible to attacks that use web requests as a means to exploit the back end. A web IDS would merely see typical user login traffic, and a database IDS would see the normal traffic of a privileged user. Attackers could modify the application logic of the web applications, eavesdrop on or hijack another user's web requests, or intercept and modify the database queries to steal sensitive data beyond their privileges.

IV. PROPOSED SYSTEM

DualShield is a system for detecting attacks in multi-tiered web services. It assigns a dedicated container, acting as an isolated virtual computing environment, to each user's web session separately. In DualShield, detection is performed for both the front end and the back end. Previously, intrusion detection or the detection of vulnerabilities was done statically by analyzing the source code; DualShield instead provides a way of dynamically tracking the information flow in order to understand suspicious occurrences of events and detect intrusions. DualShield detects SQL injection attacks by considering the structure of the web request and the database queries, without looking into the values of the input parameters [6]. In DualShield, we use the dedicated container ID to separate session traffic as a way of extracting and identifying the relationship between web server requests and database query events. Our approach dynamically generates new containers as required and recycles used ones. As a result, a single physical server runs continuously and serves all the requests. The system ensures that a single user always deals with the same web server, so that separate communications are maintained at the session level. This allows the sessions to represent different users to some extent, and since we expect the communication of a single user to go to the same dedicated web server, we can identify suspect behavior by both session and user. The proposed database intrusion detection system generates more rules than a non-weighted approach, so a mechanism is needed to find out which of these new rules are useful for detecting malicious transactions. We plan to use a learning mechanism to filter out the extra rules generated by our approach.
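As an added example (not the paper's implementation), the following Python sketch shows how the per-container session mapping described above lets a detector pair one session's web requests with its database queries, flagging queries whose structure the request never produced (the SQL injection case) and queries that arrive in a session with no web request at all (the direct DB attack case). The training traffic, the request and query normalisation rules and all function names are constructed for this example.

```python
"""Correlate each session's web requests with the database queries they cause,
in the spirit of DualShield's per-container session mapping.  Added example:
the traffic and the normalisation rules are this example's assumptions."""
import re
from collections import defaultdict

# Constructed training traffic: (session/container id, web request, DB queries).
TRAINING = [
    ("s1", "GET /login?user=alice&pw=x",
     ["SELECT id FROM users WHERE name='alice' AND pw='x'"]),
    ("s2", "GET /login?user=bob&pw=y",
     ["SELECT id FROM users WHERE name='bob' AND pw='y'"]),
    ("s3", "GET /item?id=42", ["SELECT * FROM items WHERE id=42"]),
]

def request_pattern(req):
    """Keep method, path and parameter names; drop the parameter values."""
    return re.sub(r"=[^&]*", "=", req)

def query_structure(q):
    """Replace string and numeric literals so only the query skeleton remains
    (the paper's 'structure without looking at the input values')."""
    q = re.sub(r"'(?:[^']|'')*'", "?", q)
    q = re.sub(r"\b\d+\b", "?", q)
    return re.sub(r"\s+", " ", q).strip().upper()

def build_model(training):
    """Map every request pattern to the query structures it produced in training."""
    model = defaultdict(set)
    for _sid, req, queries in training:
        for q in queries:
            model[request_pattern(req)].add(query_structure(q))
    return dict(model)

def check_session(model, web_requests, db_queries):
    """Alerts for one container's traffic.  A query in a session that sent no
    web request is a direct DB attack even if a DB-only IDS would allow it;
    a query whose structure the session's requests never produced in training
    is a structure mismatch, the footprint of SQL injection."""
    if db_queries and not web_requests:
        return [("direct_db", q) for q in db_queries]
    allowed = set()
    for req in web_requests:
        allowed |= model.get(request_pattern(req), set())
    return [("structure_mismatch", q) for q in db_queries
            if query_structure(q) not in allowed]

MODEL = build_model(TRAINING)

if __name__ == "__main__":
    print(check_session(MODEL, [], ["SELECT * FROM items WHERE id=7"]))
    print(check_session(MODEL, ["GET /item?id=42 OR 1=1"],
                        ["SELECT * FROM items WHERE id=42 OR 1=1"]))
```

Because only the skeleton is compared, a value change (a different item id or user name) stays silent while a tautology or an appended union clause changes the structure and is reported.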

V. SYSTEM ARCHITECTURE

The system architecture of DualShield is shown in Figure 1. In the DualShield architecture we use a lightweight virtualization technique to assign a separate web container to each user, so each user has a separate web container ID for processing web requests. Containers are easy to initialize and destroy and can be short-lived, which makes it practical to provide a single container for each user. It is possible to initialize thousands of containers on a single system, and these virtualized containers can be discarded, reverted or quickly reinitialized to serve new sessions. In the DualShield approach, new containers are generated and used containers are recycled dynamically [2]. The client generates an HTTP request and sends it to the database server. The server receives and processes the request; it also plays an important role by managing sessions, maintaining the connection with the database and examining requests for attacks. Each session is assigned to a dedicated web server and separated from other sessions. The server produces the result by generating and processing the queries, and this result is then sent as a response to the client's request. The server also generates the log files. Meanwhile, if we detect abnormal behavior in a session, we treat all the network traffic within that session as infected.

Figure 1: System architecture of DualShield

VI. ATTACK SCENARIOS

Our system is effective at capturing the following types of attacks:

6.1 Denial-Of-Service attack

A Distributed Denial-of-Service (DDoS) or Denial-of-Service (DoS) attack is an attempt to make a network resource or a machine unavailable to its intended users. Such an attack generally consists of efforts to temporarily or indefinitely suspend or interrupt the services of a host connected to the Internet. Distributed Denial of Service (DDoS) attacks are sent by two or more people or systems, while Denial of Service (DoS) attacks are sent by one person or system. One general method of attack involves saturating the target machine with external communication requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to server overload, after which the system is suspended and does not respond to user requests.

6.2 SQL Injection attack

An SQL injection attack works by crafting SQL statements which are combined with the contents submitted by web pages. Techniques commonly used in SQL attacks include comment symbols, tautological conditions (such as 1 = 1), union queries using the union statement, and inserting or modifying data using the insert or update statement. SQL injection attacks are much more likely to happen than other web attacks and cause more widespread harm. Such harm includes obtaining control of the system, operating databases without authorization, tampering with web page content, and adding system accounts or database user accounts. As the numbers of attack targets and attackers increase, there have been more and more SQL injection attacks in recent years. Attackers can use existing vulnerabilities in the web server logic to inject data content that contains the exploits and then use the web server to relay these exploits to attack the back-end database.

6.3 Direct DB attack

It is possible for an attacker to bypass the web server or firewalls and connect directly to the database. An attacker could already have taken over the web server and be submitting such queries from the web server without sending web requests. Without matching web requests for such queries, a web server IDS could not detect them. Furthermore, if these DB queries were within the set of allowed queries, then the database IDS would not detect them either. However, this type of attack can be caught with our approach, since we cannot match any web requests with these queries.

VII. MATHEMATICAL MODEL

Graph No. A.1.1: Finite State Machine of System

where SYSTEM = Intrusion Detection and Prevention System.

SYSTEM = {Q, Σ, δ, q0, F}

Q = States of the system.
Σ = Finite set of symbols (alphabet).
δ = Transition function.
q0 = Start state.
F = Final state.

Q = {IQ, q1, q2, q3, FID, FIP}

where IQ = Initial state. The system has started, which means that the database has been initialized and the system has started scanning the whole network and is waiting for clients. (IQ1 = System with known user database.)

q1 = Client Detected. In this state the client has been detected, as it has requested services from the server by generating a request.

q2 = Unique Key. If the user has provided the correct username and password, the user is prompted to provide his own unique key.

q3 = Creation of log file. In this state a log file is automatically created by the system; it maintains the information of all users, regardless of whether the user has provided valid information or not. This helps to detect the attacker in the future.

FID = Final state of the detection system. The detection system decides whether the request is an intrusion or not; if the request is detected as an intrusion, the respective client will be denied.

FIP = Final state of the prevention system. If the requester is found to be an intruder, this state blocks that requester; otherwise it allows the requester.

Σ = {1, 0}

where 1 = the state on the left side gets correct input and transits to the next state;
0 = the state on the left side gets wrong input and transits to the next state.

δ = Transition function, δ: Q × Σ → Q

q0 = {IQ1}

F = {FIP1}

where FIP1 = Action taken by the system depending upon the decision of the detection system {Allow, Block}.

Input of system = {i/p1, i/p2}

where i/p1 = Request for connection from a user who is registered in the system, that is, a known client;
i/p2 = Request for connection from an unregistered user, that is, an unknown client.

Output of system = {o/p1, o/p2, o/p3}

where o/p1 = Detection system output: the decision taken by the system as to whether the request is an intrusion or not {Yes, No};
o/p2 = Prevention system output: the action taken by the system, whether to allow or block the requester, depending on the decision taken by the detection system {Allow, Block};
o/p3 = Log file.
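The model above, run as code (an added example, not the paper's implementation): the states, the alphabet {1, 0}, q0, F and the three outputs are those defined in this section, while the transition table and the rule that a 0 received at q1 or q2 yields the detection verdict Yes are this example's assumptions, since the transition graph itself is not reproduced on the page.

```python
"""Executable version of the Section VII finite state machine.  Added example:
Q, Σ = {1, 0}, q0, F and the outputs are the paper's; the transition table
below is an assumption reconstructed from the state descriptions."""

Q = {"IQ", "q1", "q2", "q3", "FID", "FIP"}
SIGMA = {1, 0}              # 1 = correct input, 0 = wrong input
Q0, F = "IQ", {"FIP"}

# Assumed δ for the input-consuming states.  q3 (log), FID (detection) and
# FIP (prevention) follow automatically once the inputs are consumed.
DELTA = {
    ("IQ", 1): "q1", ("IQ", 0): "q1",  # i/p1 known or i/p2 unknown client
    ("q1", 1): "q2",                   # correct username/password: ask for key
    ("q1", 0): "q3",                   # wrong credentials: no key prompt, log
    ("q2", 1): "q3", ("q2", 0): "q3",  # unique key right or wrong, logged
}

def run(client, inputs):
    """Drive the machine from q0 over inputs and return a dict with the final
    state plus o/p1 (intrusion Yes/No), o/p2 (Allow/Block) and o/p3 (log).
    Assumption: a 0 received at q1 or q2 makes the detection verdict Yes."""
    state, wrong, log = Q0, False, []
    for sym in inputs:
        if sym not in SIGMA:
            raise ValueError(f"{sym!r} is not in the alphabet {SIGMA}")
        if (state, sym) not in DELTA:
            raise ValueError(f"state {state} accepts no further input")
        wrong = wrong or (state in ("q1", "q2") and sym == 0)
        log.append(f"{client}: {state} --{sym}--> {DELTA[(state, sym)]}")
        state = DELTA[(state, sym)]
    if state != "q3":                      # session still incomplete
        return {"state": state, "o/p1": None, "o/p2": None, "o/p3": log}
    log.append(f"{client}: log file written in q3")   # o/p3, for every user
    verdict = "Yes" if wrong else "No"                 # FID decision, o/p1
    action = "Block" if wrong else "Allow"             # FIP action, o/p2
    log.append(f"{client}: q3 -> FID ({verdict}) -> FIP ({action})")
    return {"state": "FIP", "o/p1": verdict, "o/p2": action, "o/p3": log}

if __name__ == "__main__":
    for client, seq in (("alice", [1, 1, 1]), ("bob", [1, 1, 0]), ("carol", [1, 0])):
        print(run(client, seq))
```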

VIII. ADVANTAGES

8.1 Accuracy

The accuracy of an Intrusion Detection System is brilliant at detecting attacks that are based on mismatch types and signatures. To detect such attacks in multitier web applications, an IDS uses a web IDS and a database IDS.

8.2 Performance

The performance of an intrusion detection system is the rate at which audit events are processed. If the performance of the intrusion-detection system is excellent, then it is possible to detect attacks in real time.

8.3 Timeliness

An intrusion-detection system performs and propagates its analysis as quickly as possible so that the security officer is able to detect the attacks and prevent the damage they provoke. It also prevents the attacker from subverting the audit source or the intrusion-detection system itself.

IX. CONCLUSION

A conclusion section must be included and should indicate clearly the advantages, limitations, and possible applications of the paper. Although a conclusion may review the main points of the paper, do not replicate the abstract as the conclusion. A conclusion might elaborate on the importance of the work or suggest applications.

REFERENCES

[1] SANS, The Top Cyber Security Risks, http://www.sans.org/topcybersecurity-risks/, 2011.
[2] Meixing Le, Angelos Stavrou, Brent ByungHoon Kang, "DoubleGuard: Detecting Intrusions in Multitier Web Applications," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 4, July/August 2012.
[3] Network Intrusion Detection System (NIDS) Using Data Mining Techniques. [Online] Available: http://etrx.spit.ac.in/ieee_colloquium/Information_Security/spit265.pdf
[4] A Data Mining Framework for Building Intrusion Detection Models. [Online] Available: http://citeseerx.ist.psu.edu/viewdoc/download
[5] Common Vulnerabilities and Exposures, http://www.cve.mitre.org/, 2011.
Fröhlich, B. and Plate, J. 2000. The cubic mouse: a new device for three-dimensional input. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.
[6] Five common web application vulnerabilities. http://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities
[7] T. Verwoerd and R. Hunt. Intrusion detection techniques and approaches. Computer Communications, 25(15), 2002.